Homework 1

This homework is focused on helping you develop the security mindset.

Overview

Due Date: Thursday, October 10, 5pm.

Group or Individual: Groups up to three people

How to Submit: Submit to Catalyst. Submit one PDF for your current event and one PDF for your security review. Only one group member submits. (E.g., if Alice and Bob work together, then either Alice submits a PDF for the current event or Bob submits a PDF for the current event, but not both.)

Background

They say that one of the best ways to learn a foreign language is to immerse yourself in it. If you want to learn French, move to France. This assignment is designed to give you an opportunity to think about security during non-course related activities, such as when you're reading news articles, talking with friends about current events, or when you're reading the description of a new product on Slashdot. Thinking about security will no longer be a chore relegated to the time you spend in lecture, on assigned readings, on textbook assignments, or on labs. You may even start thinking about security while you're out walking your dog, eating breakfast, at the gym, or at a movie. In short, you will be developing "The Security Mindset" and will start thinking like a seasoned security professional.

It is also extremely important for a computer security practitioner (and actually all computer scientists) to be aware of the broader contextual issues surrounding technology. Technologies don't exist in isolation, rather they are but one small aspect of a larger ecosystem consisting of people, ethics, cultural differences, politics, law, and so on. This assignment and the use of the forum will give you an opportunity to discuss and explore these "bigger picture" issues as they relate to security.

Current Event Reviews

Current events reviews should be short, concise, very thoughtful, and well-written. Imagine a broad audience (a general technical audience). Your goal should be to write an article that will help this audience learn about and understand the computer security field and how it fits into the broader context.

Your article should:

summarize the current event;

discuss why the current event arose;

reflect on what could have been done different prior to the event arising (to perhaps prevent, deter, or change the consequences of the event );

propose possible reactions to the current event (e.g., how the public, policy makers, corporations, the media, or others should respond).

There are some examples of past current event articles here. (You might have to scroll down a bit.) Unlike past years, however, you will not be required to post your current event to a forum or blog.

Security Reviews

Your goal with the security review assignment is to evaluate the potential security and privacy issues with new technologies, evaluate the severity of those issues, and discuss how those technologies might address those security and privacy issues. These assignments should reflect deeply on the technology that you're discussing, and should therefore be significantly longer than your current events assignments.

Each security review should contain:

Summary of the technology that you're evaluating. You may choose to evaluate a specific product (like the Miracle Foo) or a class of products with some common goal (like the set of all implantable medical devices). This summary should be at a high level, around one or two paragraphs in length. State the aspects of the technology that are relevant to your observations below. If you need to make assumptions about a product, then it is extremely important that you state what those assumptions are. To elaborate on the latter, if you end up making assumptions about a product like the Miracle Foo, then you are not studying the Miracle Foo but "something like the Miracle Foo," and you need to make that extremely clear in your review.

State at least two assets and, for each asset, a corresponding security goal. Explain why the security goals are important. You should produce around one or two sentences per asset/goal. (You may find the Security and Privacy Threat Discovery Cards helpful here.)

State at least two possible threats, where a threat is defined as an action by an adversary aimed at compromising an asset. Give an example adversary for each threat. You should have around one or two sentences per threat/adversary. (You may find the Security and Privacy Threat Discovery Cards helpful here.)

State at least two potential weaknesses. Again, justify your answer using one or two sentences per weakness. For the purposes of these security reviews, you don't need to fully verify whether these potential weaknesses are also actual weaknesses. (You may find some overlap with your answer here and your answer to the bullet above.)

State potential defenses. Describe potential defenses that the system could use or might already be using to address the potential weaknesses you identified in the previous bullet.

Evaluate the risks associated with the assets, threats, and potential weaknesses that you describe. Informally, how serious do you think these combinations of assets, threats, and potential weaknesses are?

There are some excellent examples of past security reviews here. (The requirements for this assignment changes from year to year, so please pay attention to the specific requirements for this version of the course. Also, unlike previous years, you will not be required to post your security reviews on the forum.)

Please make your submissions easy to read. For example, use bulleted lists whenever possible. E.g., list each asset as it’s own entry in a bulleted list.

Group Work

You may do your current event articles and security reviews in groups of up to three people. In fact, you are encouraged to work in groups. But if you work in a group, please do not do something like: Have Alice work on the current event and have Bob work on the security review and then put both names on both submissions. Instead, please all work collaboratively on all parts of the assignment. There is a lot of value in actually discussing these topics with other people.

How to Submit

One person in each group should submit a PDF of the current event to the Catalyst dropbox. One person in each group should submit a PDF of the security review to the Catalyst dropbox. Make sure that the names and UWNetIDs of all contributors are at the top of each page of each PDF that you submit.